Aroflex is probably the most successful cipher machine
ever built by Philips Usfa. The machine was developed
between 1976 and 1982 and more than 4500 units were produced.
It features hardware-based encryption with NATO-style key management,
and was used by NATO,
the Dutch Government, the Dutch Department of Defence,
and the governments of some friendly
nations, such as Norway and Canada.
Aroflex is also known as UA-8116,
BID/1100 and
T-1000CA.

The device consists of a Siemens T-1000 tele­printer,
with a crypto unit in a black aluminium shell mounted to its bottom.
In the image on the right, the crypto unit is visible
as a low-profile black cabinet, with a red button and two
physical key locks. One lock is used for the INSERT key whilst
the other one is for the SPECAT key.
This black and white photograph was used by Philips for promotional
and instructional purposes [1].

Whenever the cipher was compromised, e.g. when an army unit was
raided by the enemy, the operator just had to press the
red button
at the front of the crypto unit to flush the
keys and all stored messages.
This is called the ZEROIZE key.

Aroflex was a highly automated encryption/decryption machine for
rapid, reliable and efficient off-line operation. It could also
be used as a stand-alone message tape preparation unit.
Some machines were equiped with appropriate interfaces to allow
them to be connected directly to the line.
The T-1000 could be operated at 50, 75 and 100 baud on-line,
and 100 baud off-line.

Aroflex is crypto compatible with NATO
CEROFF equipment,
such as RACE
and Picoflex.
As such, it complies with the the symmetrical
ACP 127
standard (Allied Communications Publication) [8].
The plaintext was converted into 5-letter groups, with 10
groups on each line. The Aroflex could store upto 6 pages
(i.e. 120 lines of 10 crypto groups each) in its internal memory.
The name Aroflex is probably derrived from Automatic Rapid
Offline Encryption Device.
In the early 1990s, Aroflex was succeeded by the
Aroflex II (T-1285CA), but it came too
late to be successful.

Philips version

When the original Aroflex machine for the NATO evaluation CEROFF was ready,
Philips developed a number of variants, such as a line-connected mode,
a civil version (sold by Siemens), customer-unique key generators
and numerous variations in operation.
All machines for NATO/SHAPE were delivered as completely assembled machines,
including the Siemens T-1000 teleprinter (telex).

The image on the right shows two essential parts of the Aroflex.
The large board on the left is the mixer. It combines plaintext
and key stream into ciphertext. Blue resistor packs
are inserted into the sockets at board's edges,
as a temporary measure to protect the highly sensitive CMOS chips
against static discharge when in storage.

The yellow/brown block on the right is the actual crypto unit.
It consists of a printed circuit board with a number of
OQ4406 or OQ4407 custom chips.
As it contains CMOS parts, resistor packs are installed to protect
it against static damage.

Apart from NATO, Aroflex was also sold to various departments of
the Dutch government and also to the authorities of some friendly nations.
As Philips Usfa had officialy won the CEROFF bidding, they received
purchase orders from SHAPE
and from most NATO countries, making Aroflex arguably Usfa's
most successful cipher machine.
It was very popular in Germany, Canada and Turkey.
By the end of 1982, more than 2500 units had already been produced [4].

Siemens version
T-1000CA

In order to allow Siemens
to sell the civil version of the Aroflex,
Philips supplied the bare crypto module to Siemens. In this case, the
combination was called T-1000-CA, in which the extension CA
stands for Cryptographical Application.
This variant was not sold to NATO customers.

In Jane's Military Communication, edition 1986,
Siemens offers the machine as the T-1000CA,
with a black (rather than white) body stored in a matching flight-case [3].
According to an internal Philips Usfa memo [4], just one batch of
1500 crypto add-on modules was made for Siemens.

Note that the Siemens T-1000CA is electrically identical to the
standard Philips Aroflex, but that the actual crypto heart is different.
The one in the T-1000CA is built around OQ4407 custom chips, whereas the
Philips variant (that was used by NATO) contains the pin-compatible OQ4406.

The image above shows the interior of the Siemens crypto heart
that was based on the OQ4407.
The algorithm of the OQ4407 (and hence the Siemens T-1000CA)
is substantially weaker than that of the OQ4406 and could be broken
with the right means, exploiting the redundancy in the encyphered
message preamble. This would typically involve solving a set of
binary equations, an exponentially large number of times, a task that was
not trivial at the time.

Rumour has it that Philips designed and developed a special chip to speed up the
analysis of OQ4407-based crypto-logics upon request of the Dutch authorities.
The cryptograms produced by the T-1000CA machines,
typically exhibit bias in the enciphered message preamble, an un­necessary
shortcoming by design. This was certainly known by the agencies of other countries.

Also note that the crypto-logic with the OQ4407 had only one 16-pin connector
by which it was connected to the mixer board, whereas the real Aroflex
crypto-logic with the OQ4406 had two such connectors. The same is true for the
mixer board. It is therefore possible to identify the chips inside the
crypto-logic without opening them. One cable: OQ4407, two cables: OQ4406.

Test device

This small unit was used by Philips and Siemens to quickly test
the voltages inside the Aroflex. The unit consists of a small PCB
that is potted in epoxy inside a black plastic enclosure, with
six red LEDs at one side.
Each LED represents a voltage or a signal.
The other side has a 16-pin header
that plugs into an internal socket.

The diagnostics unit was known by its National Stock Number
NSN 6625-12-179-5010. The Siemens designator was S22711-P105 GS1.
When unused, it was stored in a wooden box.

Key setting

Aroflex can store upto 26 keys:

23 keys for 'ordinary' traffic.

2 SPECAT (Special Category) keys (see note below).

1 for encryption/decryption of the system indicators (i.e. the serial numbers of each key).

A new key is easily entered and takes the following steps:

Place the INSERT-key in the leftmost lock and turn it clockwise.

Enter the number of the required key store (address).

Enter (from the key list) the serial number of the key, the keying variables and the check word.

Remove the INSERT-key.

The two SPECAT keys can only be entered and/or used if the physical
SPECAT-key is entered in the rightmost lock and turned clockwise.

As an alternative to the above procedure, it was also possible to
enter the keys via a paper tape that was read by the built-in tape reader.
In addition, the crypto unit has a special connector through which
the keys can be entered using a 'key filler' or a 'key gun'.

History

In 1974, NATO was looking for a replacement for the ageing American
KL-7 cipher machine,
also known as ADONIS or POLLUX. They initiated an evaluation under the
code name CEROFF and invited several
manufacturers to take part in the bidding.
Aroflex was Philips' contribution to the bidding.
Another bidder was the STK from Norway,
who offered RACE (KL-51) as an alternative.

When designing Aroflex, Philips wanted to use an existing teletype
machine (telex) as its basis, and expand it with cipher capability.
After dismissing AEG
and PTI as possible partners in the project,
they finally selected the Siemens T-1000.
It was a modern telex machine which offered unparalleled expansion
possibilities.

The downside of the T-1000 was the rather open construction,
causing unwanted emission of radio signals (EMC). It took an enormous
effort by both Siemens and Philips Usfa, to make the combined machine
EMC and TEMPEST proof [4].

The outcome of the NATO CEROFF bidding match was inconclusive and
ended in a remittance between Aroflex
and the Norwegian RACE.
NATO chose for a split-procurement and left it to
the end-user to decide what equipment to order.
As a result, Philips allowed RACE to use
the Aroflex algorithm, making both machines compatible [4].
Eventually, Aroflex turned out to be the more popular machine in
Europe and Canada [5], whilst the more robust
RACE was adopted by the US.

Assembly

In 2009 we discovered a series of black & white photographs that were
considered to have been lost when Philips Crypto BV
was dissolved in 2003. The pictures show detailed images of the various
assembly stages of the Aroflex. They were probably created for the
service manual.

The image on the right shows an exploded view of the Aroflex' crypto
add-on. It consists of four PCBs and a crypto-unit. The narrow board
at the top left is the processor board. It contains an 8080 microprocessor
and connects to the other boards via 6 flat-cables with 16 lines each.

The three boards in the middle are (from top to bottom) the memory-board,
the mixer-board and the interface-board. The latter also contains the
switched-mode power supply unit. All the voltages needed for the electronics
are derived from a single 24V source inside the T-1000.

The small grey rectangle at the right is the crypto-module,
also known as the crypto-heart. It contains a number of custom chips
and was classified as confidential at the time.
All units are connected together by means of a series of short flatcables,
with plugs that fit into an IC socket.

Compromise

During the Cold War, Aroflex, or actually the Siemens T-1000CA,
was researched extensively
by the Russian KGB and the East-German Ministerium für Staatssicherheit
(MfS or Stasi). In 1982 or 1983 they managed to get hold of a machine that had
mysteriously disappeared from a show.
In 1986/1987, Department XI of the Stasi spent 30% of its capacity on
targetting the machine.
They tried to exploit the machine's unwanted emanations
(TEMPEST),
but were not successful [6].

Although they didn't manage to break the machine, they had a constant
supply of keylists from someone at NATO. It was the same person who had
supplied them with the ELCROTEL keylists from 1972 onwards [7].
Although this means that the key was compromised,
it does not mean that the machine was compromised as well.
As far as we know, Aroflex was never broken.

Compatible machines

Race
KL-51

Aroflex was not the only machine that took part in the NATO bidding
for CEROFF. In fact, the evaluation was inconclusive and listed both
Aroflex and the Norwegian RACE as winners.

As a result, Philips made the Aroflex algorithm available to
STK,
who subsequently implemented it in RACE. Although in practice Aroflex
was the real winner, with most machine sold, RACE was adopted by the
US as the KL-51.

For other NATO bidding races in 1976, known as MERCS
and CALL SIGN, Philips developed the portable and modular
Picoflex in co-operation with Telefunken.
It was crypto compatible with Aroflex and could be used
over standard PSTN telephone lines and via radio.

Picoflex was introduced in 1982, but only modest quantities were
built over the years.

A modified Siemens T-1000 teleprinter was used also by Crypto AG
(Hagelin) for its HC-550 and HC-580
cipher machines. Like Aroflex, these machines had an external
crypto unit bolted to its bottom. A simpler solution was made by the
German company Tele Security Timmann (TST).

In their machines, the Leitungs-Anpassungs-Teil board
(LAT or line adapter) of the Siemens T-1000 was replaced by an
OEM-version of Timmann's universal
TST-9669 crypto card[9].

Please note that although the Hagelin and TST machines
visually resemble the Aroflex, they were not compatible
with Aroflex nor with any other NATO cipher machine.
Each manufacturer used their own cryptographic algorithm.

Algemeine Elektricitäts Gesellschaft
Former German manufacturer of electronic equipment and components.
Started co-operation with Telefunken in 1967 and with Siemens in 1969,
trading as AEG Telefunken.
More...

CEROFF

Cipher Equipment Rapid Off-Line
Code name of a NATO evaluation in 1974 to find a replacement for the ageing
KL-7 cipher machine. Examples of CEROFF compatible
equipment are Aroflex,
RACE (KL-51) and
Picoflex.

Rapid Automatic Cryptographic Equipment
Acronym used for the NATO KL-51 cipher machine that was used for
NATO CEROFF communication alongside the Philips Aroflex.
RACE was manufactured by
Standard Telefon og Kabelfabrik A/S
in Norway.

SHAPE

Supreme Headquarters Allied Powers Europe
Headquarters of the Allied Command Operations (ACO), one of NATO's
two strategic military commands.
(Website)

SPECAT

Special Category

ZEROIZE

General expression for deleting the cryptographic keys and other variables
from an encryption device in case of a compromise or seizure.

Versions

To keep track of the various (incompatible) Aroflex and T-1000 variants,
Philips used a complex scheme of model numbers, version designators and
internal 12NC numbers. Generally speaking, most Aroflex machines were marked
as model UA-8116, but the version designator (e.g. '/02') identified the
actual variant and, hence, the crypto-logic. In addition, some machine
were given a completely different module number.
These models are currently known: